Rights Management Service (RMS) is an add-on to many RMS-aware applications. In this article my main focus is to explain how we can use RMS technology with Exchange 2003 and how we can take advantage of it to increase email security.

Monday, March 26, 2018

If you have multiple domains or are performing a user or group migration, you may need to manually update (depending on your scenario) the source or target group membership. This script can be used to update group membership based on the source user's group membership. The input for this script is the user name (sAMAccountName), and it assumes that the source and target sAMAccountName are the same.

Input file (Users.csv) format:

The script validates users in the source domain, collects their "memberof" details and then adds the target user (migrated user) to the same groups. At the end of the operation, the source user and the target user (migrated user) will be members of the same security groups in the source domain.

This script provides the group membership details based on user name. You can include all user names in an input file (Users.csv) in the following format:

The script uses the Get-ADUser cmdlet to validate the user first, then gets the user's membership from the "memberof" property. The output/report will be written to the GMReport_$Cdate.csv file. Error messages will be captured in the Error_$Cdate.csv file.
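The following PowerShell script is an added example written for this page; it is not the blog's own script. It implements the procedure described above: read sAMAccountNames from Users.csv, validate the source user with Get-ADUser, collect its memberOf list, add the migrated user with the same sAMAccountName to each group in the source domain, and write GMReport_$Cdate.csv and Error_$Cdate.csv. The CSV column name (sAMAccountName), the two domain parameters and the -DryRun switch are assumptions, not part of the original post.

```powershell
# Added example: mirror a source user's group membership onto the migrated
# (target) user that has the same sAMAccountName.
# Assumptions (not from the post): Users.csv has a "sAMAccountName" column,
# source/target domains are passed as parameters, and the caller has rights to
# modify group membership in the source domain.
param(
    [Parameter(Mandatory)] [string] $SourceDomain,   # e.g. source.example (assumed)
    [Parameter(Mandatory)] [string] $TargetDomain,   # e.g. target.example (assumed)
    [string] $InputFile = '.\Users.csv',
    [switch] $DryRun                                 # report only, change nothing
)

Import-Module ActiveDirectory

$Cdate  = Get-Date -Format 'yyyyMMdd-HHmm'
$report = @()
$errors = @()

foreach ($row in Import-Csv -Path $InputFile) {
    $sam = [string]$row.sAMAccountName
    $sam = $sam.Trim()
    if (-not $sam) { continue }

    try {
        # Validate the source user and fetch memberOf in the same query
        $src = Get-ADUser -Identity $sam -Server $SourceDomain -Properties memberOf -ErrorAction Stop
        # Validate the migrated user; the post assumes the same sAMAccountName
        $tgt = Get-ADUser -Identity $sam -Server $TargetDomain -ErrorAction Stop
    }
    catch {
        $errors += [pscustomobject]@{ User = $sam; Group = ''; Error = $_.Exception.Message }
        continue
    }

    foreach ($groupDn in $src.memberOf) {
        try {
            $group = Get-ADGroup -Identity $groupDn -Server $SourceDomain -Properties member -ErrorAction Stop
            if ($group.member -contains $tgt.DistinguishedName) {
                $status = 'AlreadyMember'          # idempotent: re-runs do not fail
            }
            elseif ($DryRun) {
                $status = 'WouldAdd'
            }
            else {
                # Cross-domain add: the target user object is resolved in the source domain
                Add-ADGroupMember -Identity $group -Members $tgt -Server $SourceDomain -ErrorAction Stop
                $status = 'Added'
            }
            $report += [pscustomobject]@{ User = $sam; Group = $group.Name; GroupDN = $groupDn; Status = $status }
        }
        catch {
            # e.g. global groups cannot hold members from another domain
            $errors += [pscustomobject]@{ User = $sam; Group = $groupDn; Error = $_.Exception.Message }
        }
    }
}

$report | Export-Csv -Path ".\GMReport_$Cdate.csv" -NoTypeInformation
$errors | Export-Csv -Path ".\Error_$Cdate.csv"    -NoTypeInformation
```

Run it once with -DryRun and review the report before letting it change membership. Global groups cannot contain accounts from another domain, so those adds fail and land in the error file; only domain local and universal groups will accept the migrated user.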

Microsoft Advanced Threat Analytics (ATA) is a user and entity behavior analytics solution that identifies and protects organizations from advanced targeted attacks (APTs). You can read more information about Microsoft Advanced Threat Analytics (ATA) here. The purpose of this blog is to provide a few methods which can be used to simulate and demonstrate some basic attacks for demo and testing purposes.

Suspicious Activity Simulation #1 – ATA Gateway Stopped Communicating

We will start with the most obvious one: an ATA communication issue. In this scenario, I am using the ATA Lightweight Gateway (LWGW). In this case the Microsoft Advanced Threat Analytics Gateway (ATAGateway) service should be running on the Domain Controllers.

To simulate this scenario,

Identify all Domain Controllers in the forest/domain. You can use the following DSQUERY command to list all DCs in the forest.

DsQuery Server -Forest

Stop the ATAGateway service remotely

If you prefer a script-based approach, here are a few scripts: Script1, Script2 or Script3.

Or we can use a simple SC command: SC \\Lab-DC01 stop ATAGateway

You will receive the following high alert – ATA Gateway Stopped Communicating – in Health Center.

Suspicious Activity Simulation #2- Honey Token Account Activities

In general, Honey Token accounts are non-interactive accounts. These can be dummy accounts used to detect malicious activity.

You will receive the Massive Object Deletion alert in the ATA console right away as shown below.

Suspicious Activity Simulation #4 - Reconnaissance using DNS

The DNS or name resolution information in a network would be useful reconnaissance information. In general, DNS data contains a list of all the servers and workstations and the mapping to their IP addresses. Verifying this information may provide attackers with a detailed view of the environment allowing attackers to focus their efforts on the relevant entities.

For this simulation, the plan is to list the DNS zone using the NSLOOKUP ls command.
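A zone listing with nslookup ls only succeeds when the DNS server allows zone transfers to the requesting host, so the defensive counterpart of this simulation is to know which zones are exposed that way. The following PowerShell audit is an added example written for this page, not part of the blog post or of ATA; it assumes the DnsServer and ActiveDirectory RSAT modules are installed and that the account running it can query each Domain Controller's DNS service.

```powershell
# Added example: report the zone-transfer setting of every primary zone on
# each Domain Controller. "TransferAnyServer" means any client can pull the
# whole zone, which is exactly what makes "nslookup ls" work.
# Assumes the DnsServer and ActiveDirectory modules (RSAT) are available.
Import-Module DnsServer
Import-Module ActiveDirectory

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server            = $dc.HostName
                    Zone              = $_.ZoneName
                    SecureSecondaries = $_.SecureSecondaries
                    SecondaryServers  = ($_.SecondaryServers -join ',')
                    Exposed           = ($_.SecureSecondaries -eq 'TransferAnyServer')
                }
            }
    }
    catch {
        # A DC that is not a DNS server or refuses the query is reported, not skipped silently
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

$findings | Sort-Object Exposed -Descending | Format-Table -AutoSize

# Remediation for an exposed zone (run per zone, then re-run the audit):
# Set-DnsServerPrimaryZone -ComputerName <server> -Name <zone> -SecureSecondaries TransferToZoneNameServer
```

Restricting transfers to the zone's name servers does not stop ATA from raising the reconnaissance alert when someone tries the listing; it only ensures the attempt returns nothing useful.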

Microsoft Azure MFA on-premises server supports time-based OATH (OATH-TOTP) third-party tokens. This is an alternative to using the Azure Authenticator mobile app as an OATH token. You can see other MFA authentication options in my Azure MFA Server–Authentication Types (Part I) and Azure MFA Server–Authentication Types (Part II) blogs. OATH tokens can be added or imported prior to being associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server or the User Portal. Users can associate themselves with an OATH token during User Portal enrollment or using the OATH Token menu option when the User Portal is configured to provide this functionality. Bulk token import and configuration is also supported by MFA Server. An administrator can import OATH Token records from an input file. The secret keys must be in Base32 format.

Serial Number – Required. Enter the serial number of your SafeID. This will be on the back of the Secret Key as shown below, or in the email you received from DeepNet.

Secret Key – Required. This is the Secret Key (Base32). You have to receive this information from DeepNet. You will receive an email from DeepNet with the Secret Key after the purchase.

Manufacturer – Optional. Enter DeepNet Security as the manufacturer.

Model – Optional. Enter SafeID as model type.

Start date – Optional

Expiration date – Optional

Time interval – Required. Select 60 seconds.

Username: Associate a user with this OATH token. You can manually enter the username or use the Select User option to identify a user.

Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.

Enter the current code from DeepNet SafeID from the Synchronize OATH Token window to complete token configuration in MFA Server. Click OK.

Note1: MFA server validates the OATH code against the OATH token secret key and synchronizes the OATH token's time if the code is valid. If it is not valid, you will see the following error message:

Note2: Azure Multi-Factor Authentication Server supports bulk import of token records by using an input CSV file. The file must be in a supported format and may be partially or fully encrypted with a password.

Note3: You may receive the following error message when you click the Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Could not load file or assembly ‘PfPskcClr, Version=0.0.0.0, Culture=neutral, PublicKey Token=null’ or one of its dependencies. A strongly-named assembly is required. (Exception from HRRESULT:0X8013100)

Microsoft Azure MFA on-premises server supports time-based OATH (OATH-TOTP) third-party tokens. This is an alternative to using the Azure Authenticator mobile app as an OATH token. You can see other MFA authentication options in my Azure MFA Server–Authentication Types (Part I) and Azure MFA Server–Authentication Types (Part II) blogs. OATH tokens can be added or imported prior to being associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server or the User Portal. Users can associate themselves with an OATH token during User Portal enrollment or using the OATH Token menu option when the User Portal is configured to provide this functionality. Bulk token import and configuration is also supported by MFA Server. An administrator can import OATH Token records from an input file. The secret keys must be in Base32 format. This blog provides step-by-step instructions for configuring a YubiKey OATH token with Microsoft Azure MFA server.

Requirements:

The following are the pre-requirements to complete this configuration.

Microsoft Azure MFA server supports only OATH TOTP (time-based) tokens. So you need to make sure that your YubiKey is in Yubico OTP mode using the YubiKey Personalization Tool. Other configurations are optional for the Microsoft Azure MFA server configuration and testing.

The YubiKey Personalization Tool can be used to program the two configuration slots. Also, it can be used to personalize the YubiKey in the following modes:

Username: Select the user for this OATH token. You can manually enter the username or use the Select User option to identify a user.

Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.

Generate a new OATH code from the Yubico Authenticator app using the button.

Enter this code in the Synchronize OATH Token window to complete token configuration in MFA Server.

Note1: MFA server validates the OATH code against the OATH token secret key and synchronizes the OATH token's time if the code is valid. If it is not valid, you will see the following error message:
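Note1 here and in the DeepNet SafeID post above both describe the same check: the server recomputes the time-based code from the Base32 secret and, if the code matches within a tolerance, records the token's clock offset. The following PowerShell is an added example written for this page to show that computation in RFC 6238 terms; it is not MFA Server code and does not reproduce its exact window or storage. The 60-second step follows the SafeID setting above (Yubico Authenticator typically uses 30 seconds), the 6-digit length, the +/- 1 step window, and the Base32 secret (the RFC 6238 test key) are assumptions for the demo.

```powershell
# Added example: TOTP generation and validation with clock-offset reporting,
# i.e. what "validate the OATH code and synchronize the token's time" means.
# Assumptions (not from the post): HMAC-SHA1, 6 digits, 60-second step, +/- 1 step window.

function ConvertFrom-Base32 {
    # Decode an RFC 4648 Base32 string (the format MFA Server requires for secrets)
    param([Parameter(Mandatory)][string] $Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($ch in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $val = $alphabet.IndexOf($ch)
        if ($val -lt 0) { throw "Invalid Base32 character '$ch'" }
        $bits += [Convert]::ToString($val, 2).PadLeft(5, '0')
    }
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][byte[]] $Secret,
        [Parameter(Mandatory)][long]   $UnixTime,
        [int] $Step   = 60,
        [int] $Digits = 6
    )
    $counter = [long][math]::Floor($UnixTime / $Step)
    # RFC 4226: the counter is an 8-byte big-endian message
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $code = (($hash[$offset] -band 0x7F) -shl 24) -bor
            (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
            (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
            ($hash[$offset + 3] -band 0xFF)
    $modulus = [int][math]::Pow(10, $Digits)
    return ($code % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    # Accept the code if it matches within +/- $WindowSteps steps and report the
    # offset; storing that offset is the "synchronize the token's time" part.
    param(
        [Parameter(Mandatory)][byte[]] $Secret,
        [Parameter(Mandatory)][string] $Code,
        [Parameter(Mandatory)][long]   $UnixTime,
        [int] $Step = 60,
        [int] $WindowSteps = 1
    )
    for ($d = -$WindowSteps; $d -le $WindowSteps; $d++) {
        $candidate = Get-Totp -Secret $Secret -UnixTime ($UnixTime + $d * $Step) -Step $Step
        if ($candidate -eq $Code) {
            return [pscustomobject]@{ Valid = $true; OffsetSeconds = $d * $Step }
        }
    }
    return [pscustomobject]@{ Valid = $false; OffsetSeconds = $null }
}

# Constructed demo secret: Base32 of "12345678901234567890" (RFC 6238 test key)
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
"Current code: $(Get-Totp -Secret $secret -UnixTime $now)"
# A token running one step slow is still accepted, with its offset recorded
Test-Totp -Secret $secret -Code (Get-Totp -Secret $secret -UnixTime ($now - 60)) -UnixTime $now
# A code from outside the window is rejected
Test-Totp -Secret $secret -Code (Get-Totp -Secret $secret -UnixTime ($now - 600)) -UnixTime $now
```

The window is what makes a hardware token with a drifting clock usable; the recorded offset lets the server narrow the window on later logins instead of accepting ever-older codes, which is why a mis-typed or expired code during synchronization is reported as invalid rather than silently tolerated.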

Note2: Azure Multi-Factor Authentication Server supports bulk import of token records by using an input CSV file. The file must be in a supported format and may be partially or fully encrypted with a password.

Note3: You may receive the following error message when you click the Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Could not load file or assembly ‘PfPskcClr, Version=0.0.0.0, Culture=neutral, PublicKey Token=null’ or one of its dependencies. A strongly-named assembly is required. (Exception from HRRESULT:0X8013100)

Azure MFA Server – End User Validation Using YubiKey OATH Token

The final step in this process is to validate the YubiKey configuration and authentication experience from an end user perspective.

To configure OATH token as the authentication type for an end user:

From the Multi-Factor Authentication Server UI, select the Users icon.

From the right pane, open the user properties by double-clicking the user object.

This will open User Properties / Edit User window as shown below. Make sure that the OATH Token is selected as the authentication type for this test user.

To validate this configuration, select our test user object and, from the bottom of the window, select the Test option.

The user will be prompted for the first/primary authentication using a user name and password. Enter the Username and Password for the user, then click Test.

Then it will prompt you for the secondary authentication. In this scenario, it is the OATH code.

To generate a new OATH code, open the Yubico Authenticator app and press the button. The OATH code will be displayed as shown below:

Enter the current OATH code in the OATH Code field in the MFA application window. Click OK.